True randomness

True randomness

Posted Mar 30, 2012 16:53 UTC (Fri) by alankila (subscriber, #47141)
In reply to: True randomness by man_ls
Parent article: Russell: Sources of Randomness for Userspace

While this all sounds appropriately cryptic, dark and foreboding, it seems more relevant to ask if there are any practical attacks against urandom. It seems to me that the existing entropy could be used to fully replace urandom's seed several times per second.


True randomness

Posted Mar 30, 2012 17:09 UTC (Fri) by man_ls (subscriber, #15091) [Link]

See, the problem about randomness (and probably why you perceive my message as cryptic and foreboding) is that it can only be defined in the negative. The complete absence of patterns is basically impossible to prove; it can only be suspected.

But I see you like your solutions simple and your answers straight. Your hypothesis is easy to test:

  $ cat /dev/random
and see how quickly it fills out. For me it is barely enough to reseed urandom (32 bytes) once a minute, while using it; if I leave it alone it seems to take quite a bit longer.

As to practical attacks against /dev/urandom: I hope that there are none because then I fear all my communications (and most in the world) would be vulnerable. But perhaps the NSA (or other sinister organizations) have a few of their own.

True randomness

Posted Mar 31, 2012 16:47 UTC (Sat) by alankila (subscriber, #47141) [Link]

I just tested this. It seems that entropy collection takes a very long time indeed. What a pity. Apparently there's just a kernel buffer that contains gathered entropy, and consuming that entropy allows me to see that it will be replenished rather slowly. So the statistic munin graphs for me is not the rate of entropy generation, but merely the amount of available entropy.

Somehow this multi-gigahertz multi-core machine and all its myriad peripherals together are not harvested for more entropy than about 10 bits per second.
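One way to measure what is described above, as an added example that is not part of the thread: sample the kernel's entropy counter over time and estimate how many bits per second it gains, counting only increases (a drop means a reader of /dev/random consumed entropy, not that entropy was lost). The path and the 30-second sampling window are assumptions; on kernels from 5.18 on the counter behaves differently and this measurement is mostly of historical interest.

```python
import time

# Kernel counter of estimated bits in the input pool (assumed path).
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"


def read_entropy_avail(path=ENTROPY_AVAIL):
    """Return the kernel's current entropy estimate in bits."""
    with open(path) as f:
        return int(f.read().strip())


def sample_pool(seconds, interval=1.0, reader=read_entropy_avail):
    """Collect (elapsed_seconds, bits) samples for roughly `seconds`."""
    samples = []
    start = time.monotonic()
    while True:
        t = time.monotonic() - start
        samples.append((t, reader()))
        if t >= seconds:
            return samples
        time.sleep(interval)


def accrual_rate_bits_per_sec(samples):
    """Estimate entropy accrual from samples, summing only the increases.

    Decreases are consumption by readers of /dev/random and would otherwise
    mask the harvesting rate we want to see.
    """
    gained = 0
    for (_, b0), (_, b1) in zip(samples, samples[1:]):
        if b1 > b0:
            gained += b1 - b0
    elapsed = samples[-1][0] - samples[0][0]
    return gained / elapsed if elapsed > 0 else 0.0


def seconds_to_gather(bits, rate):
    """How long it takes to accumulate `bits` at `rate` bits/second."""
    return float("inf") if rate <= 0 else bits / rate


if __name__ == "__main__":
    data = sample_pool(30)
    rate = accrual_rate_bits_per_sec(data)
    print("entropy_avail now: %d bits" % data[-1][1])
    print("accrual rate: %.2f bits/s" % rate)
    # 32-byte reseed = 256 bits, the figure used earlier in the thread.
    print("time to gather 256 bits: %.1f s" % seconds_to_gather(256, rate))
```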

True randomness

Posted Mar 31, 2012 16:52 UTC (Sat) by man_ls (subscriber, #15091) [Link]

Right, that is where haveged should help. Whether it works well in virtualized machines remains to be seen.

True randomness

Posted Mar 31, 2012 15:25 UTC (Sat) by man_ls (subscriber, #15091) [Link]

  While this all sounds appropriately cryptic, dark and foreboding,

By the way, the foreboding part is not just theoretical. See precisely this week's security QotW:

  I believe that what the "top official" was referring to is attacks that focus on the implementation and bypass the encryption algorithm: side-channel attacks, attacks against the key generation systems (either exploiting bad random number generators or sloppy password creation habits) [...]

Guess who employs thousands of cryptographers precisely to study these vulnerabilities. If the NSA had found a vulnerability in /dev/urandom (or ten) they would probably not publish them. "No known attacks" in cryptography seems to be a meager consolation, but in RNGs it is doubly so.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds